How to prevent web user to access file unless they log on website

Status
Not open for further replies.

BG12424

Programmer
Jun 4, 2002
717
US
Let's say that I have a file called stored on the webserver, but I don't want any user to be able to reference that file unless they are logged in or registered on my website.

1) Should I store files that shouldn't be referenced by all users on the webserver? Or should I store them rather on the hard drive of the server where IIS sits?
2) If my file can be stored on the webserver, then how can I prevent users from accessing that file without first logging in to my website first?

Please advise to my scenarios, thanks.

regards,
Brian

 
Pretty simple.
Rename the zip file to some other name (ex: asd.dgg).
Give a link called "Click Here". When the user clicks there, redirect the page to an ASP where there is a check for the username, create a copy of the file (asd.dgg), rename the zip file to username.zip (use the session username), then allow the user to download the file, delete the file username.zip.

The problems:
1. Instead of myproduct.zip there will be username.zip.
2. The file must be deleted only after the user has completed download (which is impossible to find out). I suggest a routine to delete all such unused files.
 
Once a customer purchases a software product from a site, he is redirected to the file to download. The file resides on a website with anonymous access. So anyone who knows the exact URL to the download files can freely download them.

Is there an easier way to do this? It seems like a lot of trouble to go through and would think there might be an easier solution. I will give it a try I guess and see if I can get it to work. I'm kind of stumped here. Thanks for your help.

regards,
Brian

 
Brian, not exactly sure this is ur question but...

Don't store the file on the web server. The download link points to a CGI application that reads a cookie to determine that the user is logged in <or whatever> then it sets the content-type and streams the bytes from the file back to the browser. u might be able to do this within a .asp page using the FileSystemObject as well.

the cookie was set by ur .asp application as per ur requirements.

-There are only 10 types of people in the world, those who understand binary and those who don't-

-pete
 
Could I set up in the database a filename, maybe something cryptic like AB3A062SA.zip, along with the path to that file and let's say a fileID of 1, then in my asp page have my link to download a file something like:

<a href="download.asp?fileID=1">Click to download</a>

When the user clicks on this link it then posts to download.asp page where the querystring is used as part of:

select filepath,filename from tblfiles where fileid= request.querystring("fileID")

When I open my recordset, then I do a response.redirect(rs("filepath") & "/" & rs("filename")). This will redirect me to the downloadable file, which won't reveal the path to that file. In essence, this can be any directory on the webserver.

One of my concerns about this, if I can do this, is whether search engines or spider utilities can pick up on this? Thanks

regards,
Brian

 
>> response.redirect(rs("filepath") & "/" & rs("filename")).

that does not hide the path, that actually sends the path to the browser so if the user is watching they can see the path. u can't link to a static file and hide it at the same time. that is why streaming the bytes is the only way to protect against unauthorized users gaining access. of course hackers can still break ur authorization mechanism so then there's that.

-There are only 10 types of people in the world, those who understand binary and those who don't-

-pete
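
The approach discussed in the posts above (files kept outside the web root, a login check, a lookup by fileID, and streaming instead of a redirect), sketched as a classic ASP page. This is an added example, not code from any poster in the thread. The Session("username") key, the DSN name "ProductsDb" and the D:\protected\ directory are assumptions; tblfiles, fileid, filename and myproduct.zip come from the posts.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example of download.asp. Assumed: login code sets Session("username");
' DSN "ProductsDb" and D:\protected\ (outside the web root) are placeholders.
Const STORE_DIR = "D:\protected\"
Const CHUNK = 65536
Dim fileId, re, conn, cmd, rs, diskName, stream

' 1. Authorization: no logged-in session, no bytes (this also stops crawlers).
If Len(Session("username") & "") = 0 Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. Accept only a short decimal id, then bind it as a query parameter
'    instead of concatenating the querystring into the SQL text.
fileId = Request.QueryString("fileID") & ""
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(fileId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=ProductsDb"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT filename FROM tblfiles WHERE fileid = ?"
cmd.Parameters.Append cmd.CreateParameter("fileid", 3, 1, , CLng(fileId)) ' adInteger, adParamInput
Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
diskName = rs("filename") & ""
rs.Close : conn.Close

' 3. Stream the bytes from the private directory: no redirect, no path disclosed.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1 ' adTypeBinary
stream.Open
stream.LoadFromFile STORE_DIR & diskName
Response.ContentType = "application/zip"
Response.AddHeader "Content-Disposition", "attachment; filename=""myproduct.zip"""
Do While Not stream.EOS
    Response.BinaryWrite stream.Read(CHUNK)
    Response.Flush
Loop
stream.Close
%>
```

Because the file is never copied into a web-readable directory, there is no temporary copy to clean up and no static URL for a crawler to find. A per-customer purchase check would sit between steps 1 and 2; the thread's tblfiles has no column for it, so it is not shown.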
 
I've been trying to do some research on the web on this and can't find much.

Do you know any good articles on the web that explain how to allow only for users logged onto a website (using simple username, password checks from an Access DB), then giving that user permissions to download a file. Anyone else out there that is not logged into the website using the above mentioned verification routine (including search engines, spiders, robots, etc) will not be able to download the file.

regards,
Brian

 
Brian,

i buried this in my previous post, perhaps u missed it

>> u can't link to a static file and hide it at the same time.

if u have a link (of any kind) to a static file then a crawler engine can find it. each crawler has its own rules on how far into a site it will crawl but u won't know until it does.

does that help?

-There are only 10 types of people in the world, those who understand binary and those who don't-

-pete
 
Yes, thanks for your help.

However, do you know any good articles on the web that explain how to allow only for users logged onto a website (using simple username, password checks from an Access DB), then giving that user permissions to download a file. Anyone else out there that is not logged into the website using the above mentioned verification routine (including search engines, spiders, robots, etc) will not be able to download the file.

regards,
Brian

 
>> explain how to
>> giving that user permissions to download a file

if ur talking about OS level file permission then that is OS dependent and u would research file permission APIs for that OS.

-There are only 10 types of people in the world, those who understand binary and those who don't-

-pete
 
vbkris,

You mentioned above:
2. The file must be deleted only after the user has completed download (which is impossible to find out). I suggest a routine to delete all such unused files.

How do you think I should do this?

regards,
Brian
AOL IM: FreelanceGaines

 
Another idea would be to have the file sit in a non-http readable directory, when the person has logged in and goes to download, it is copied to a readable directory with a unique name then that directory is deleted later.

Steve Davis
hey.you@hahaha.com.au

Me? I can't even spell ASP!
 
Thanks Steve for your input. I visited your website and got a chuckle, quite a big chuckle actually, regarding your page visit counter.

regards,
Brian
AOL IM: FreelanceGaines

 
Hi Brian...

There is an article on permissions at the aspfaq web site.

Tom Gahagan
tgahagan@charter.net

If you get a chance to sit out or dance...

I hope you dance. L Wommack
 